OAuth Certificate via Powershell

If you like PowerShell and have been looking at the ‘Request-CsCertificate’ TechNet site, you’ll notice that it doesn’t say anything about requesting an OAuth certificate anywhere on there. (neither does it mention OAuth on Set-CsCertificate page). And it seems nobody is brave enough to talk about certificate in any detail without using the GUI. (to be fair, I’ve not looked that hard).

I would have thought that OAuth would have been listed on TechNet along with the other types, considering that every single deployment would have one, but I guess it’s only done once.

http://technet.microsoft.com/en-us/library/gg425723.aspx shows the following, it does hint that it “includes, but are not limited to, the following”.. No sign of OAuth.

But you can use -Type OAuth as follows…

Request-CsCertificate -New -Type OAuth -CA "fqdn-of-dc\CA-Name" -FriendlyName "Lync OAuth Certificate" -KeySize 2048 -PrivateKeyExportable $true -Organization "My Lab" -OU "IT" -State "West Midlands" -Country "GB"

1	Request-CsCertificate -New -Type OAuth -CA "fqdn-of-dc\CA-Name" -FriendlyName "Lync OAuth Certificate" -KeySize 2048 -PrivateKeyExportable $true -Organization "My Lab" -OU "IT" -State "West Midlands" -Country "GB"

My above example is sent to an online Certificate Authority, and outputs…

Issued thumbprint "C8E47DE9B3A5E4F8DD8F873148BCDC524647A6E9" for use "OAuthTokenIssuer" by "fqdn\ca-name".

Issuer             : CN=ca-name, DC=domain, DC=internal
NotAfter           : 06/11/2015 15:33:42
NotBefore          : 06/11/2013 15:33:42
SerialNumber       : 2100000005ACE51F7DFDC2C543000000000003
Subject            : CN=fqdn.co.uk, OU=IT, O=My Lab, S=West Midlands, C=GB
AlternativeNames   : {}
Thumbprint         : C8E47DE9B3A5E4F8DD8F873148BCDC524647A6E9
EffectiveDate      :
PreviousThumbprint :
UpdateTime         :
Use                : OAuthTokenIssuer
SourceScope        :

Issued thumbprint "C8E47DE9B3A5E4F8DD8F873148BCDC524647A6E9" for use "OAuthTokenIssuer" by "fqdn\ca-name".

Issuer : CN=ca-name, DC=domain, DC=internal

NotAfter : 06/11/2015 15:33:42

NotBefore : 06/11/2013 15:33:42

SerialNumber : 2100000005ACE51F7DFDC2C543000000000003

Subject : CN=fqdn.co.uk, OU=IT, O=My Lab, S=West Midlands, C=GB

AlternativeNames : {}

Thumbprint : C8E47DE9B3A5E4F8DD8F873148BCDC524647A6E9

EffectiveDate :

PreviousThumbprint :

UpdateTime :

Use : OAuthTokenIssuer

SourceScope :

Instead of specifying -CA you can put -Output certificate.req which will generate a Base64 encoded certificate request which you can send to your offline CA to get issued.

Once you have the certificate, you can use the normal commands to assign that certificate to OAuth.

Set-CsCertificate -Identity Global -Type OAuth -Thumbprint C8E47DE9B3A5E4F8DD8F873148BCDC524647A6E9

1	Set-CsCertificate -Identity Global -Type OAuth -Thumbprint C8E47DE9B3A5E4F8DD8F873148BCDC524647A6E9

The following certificate was assigned for the type "OAuthTokenIssuer":
OAuthTokenIssuer: C8E47DE9B3A5E4F8DD8F873148BCDC524647A6E9 domain.local 11/06/2015 CN=ca-name, DC=domain, DC=local 2100000005ACE51F7DFDC2C543000000000003

1 2	The following certificate was assigned for the type "OAuthTokenIssuer": OAuthTokenIssuer: C8E47DE9B3A5E4F8DD8F873148BCDC524647A6E9 domain.local 11/06/2015 CN=ca-name, DC=domain, DC=local 2100000005ACE51F7DFDC2C543000000000003

And the usual commands to quickly confirm.

Get-CsCertificate | fl Use, Thumbprint

1	Get-CsCertificate \| fl Use, Thumbprint

Use        : OAuthTokenIssuer
Thumbprint : C8E47DE9B3A5E4F8DD8F873148BCDC524647A6E9

1 2	Use : OAuthTokenIssuer Thumbprint : C8E47DE9B3A5E4F8DD8F873148BCDC524647A6E9

It also seems that both OAuth and OAuthTokenIssuer can be used interchangeably.

About Graham Cropley

Leave a Reply Cancel reply

Search

Recent Posts

Archives